{
 "cells": [
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# T1531 - Account Access Removal",
    "\n",
    "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.\n\nAdversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Atomic Tests"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "#Import the Module before running the tests.\n# Checkout Jupyter Notebook at https://github.com/haresudhan/TheAtomicPlaybook to run PS scripts.\nImport-Module /Users/0x6c/AtomicRedTeam/atomics/invoke-atomicredteam/Invoke-AtomicRedTeam.psd1 - Force"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #1 - Change User Password - Windows\nChanges the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account \"AtomicAdministrator\" with\nthe password \"HuHuHUHoHo283283\".\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nnet user AtomicAdministrator User2ChangePW! /add\nnet.exe user AtomicAdministrator HuHuHUHoHo283283@dJD\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1531 -TestNumbers 1"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #2 - Delete User - Windows\nDeletes a user account to prevent access. Upon execution, run the command \"net user\" to verify that the new \"AtomicUser\" account was deleted.\n\n**Supported Platforms:** windows\nElevation Required (e.g. root or admin)\n#### Attack Commands: Run with `command_prompt`\n```command_prompt\nnet user AtomicUser User2DeletePW! /add\nnet.exe user AtomicUser /delete\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1531 -TestNumbers 2"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "### Atomic Test #3 - Remove Account From Domain Admin Group\nThis test will remove an account from the domain admins group\n\n**Supported Platforms:** windows\n#### Dependencies:  Run with `powershell`!\n##### Description: Requires the Active Directory module for powershell to be installed.\n\n##### Check Prereq Commands:\n```powershell\nif(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1}\n\n```\n##### Get Prereq Commands:\n```powershell\nAdd-WindowsCapability -Online -Name \"Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0\"\n\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1531 -TestNumbers 3 -GetPreReqs"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "#### Attack Commands: Run with `powershell`\n```powershell\n$PWord = ConvertTo-SecureString -String password -AsPlainText -Force\n$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList domain\\super_user, $PWord\nif((Get-ADUser remove_user -Properties memberof).memberof -like \"CN=Domain Admins*\"){\n  Remove-ADGroupMember -Identity \"Domain Admins\" -Members remove_user -Credential $Credential -Confirm:$False\n} else{\n    write-host \"Error - Make sure remove_user is in the domain admins group\" -foregroundcolor Red\n}\n```"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "Invoke-AtomicTest T1531 -TestNumbers 3"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Detection",
    "\n",
    "Use process monitoring to monitor the execution and command line parameters of binaries involved in deleting accounts or changing passwords, such as use of [Net](https://attack.mitre.org/software/S0039). Windows event logs may also designate activity associated with an adversary's attempt to remove access to an account:\n\n* Event ID 4723 - An attempt was made to change an account's password\n* Event ID 4724 - An attempt was made to reset an account's password\n* Event ID 4726 - A user account was deleted\n* Event ID 4740 - A user account was locked out\n\nAlerting on [Net](https://attack.mitre.org/software/S0039) and these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible."
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Shield Active Defense\n### System Activity Monitoring \n Collect system activity logs which can reveal adversary activity. \n\n Capturing system logs can show logins, user and system events, etc.  Collecting this data and potentially sending it to a centralized location can help reveal the presence of an adversary and the actions they perform on a compromised system.\n#### Opportunity\nThere is an opportunity to create a detection with a moderately high probability of success.\n#### Use Case\nA defender can implement monitoring to alert if a user account is altered outside normal business hours, from remote locations, etc.\n#### Procedures\nEnsure that systems capture and retain common system level activity artifacts that might be produced.\nMonitor Windows systems for event codes that reflect an adversary changing passwords, adding accounts to groups, etc."
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": ".NET (PowerShell)",
   "language": "PowerShell",
   "name": ".net-powershell"
  },
  "language_info": {
   "file_extension": ".ps1",
   "mimetype": "text/x-powershell",
   "name": "PowerShell",
   "pygments_lexer": "powershell",
   "version": "7.0"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}